Practice Fusion case suggests 6 health privacy pointers

Combine two of the most talked-about consumer protection topics – health privacy and consumer-generated online content – and what do you get? A proposed FTC settlement with Practice Fusion, the largest cloud-based electronic health records company in the country, and six compliance tips for others in the industry.

One of San Francisco-based Practice Fusion’s primary products is an electronic records system for outpatient providers. In 2009, the company launched “Patient Fusion,” an online portal where patients whose providers were already using Practice Fusion could view or download their health information or transmit it to another provider. Patient Fusion also let patients send and receive secure messages from their providers.

Fast forward several years and the company decided to expand Patient Fusion to include a public directory where current and prospective enrollees could search for doctors geographically or by specialty, read patient reviews of providers, and request appointments. But Practice Fusion had to ask itself a question familiar to many online companies: How do we get the content – in this case, patient reviews? That’s the focus of the FTC’s lawsuit.

According to the complaint, Practice Fusion solicited data in a misleading way that led some patients to believe they were sending follow-up messages directly to their doctors about their diagnosis, medical treatment, prescriptions, etc. – and not contributing content to a public website. Practice Fusion, however, populated its new site with the information those people provided, some of which was highly sensitive.

Here’s what happened. After appointments with their doctors, patients received emails titled “How was your visit?” The message continued, “To help improve your service in the future, please let us know how your visit went” and included a link with rating stars. The message ended this way:

Thank you,
Dr. [Name]

In a footer, the message said “This email was sent to you by Patient Fusion®, a tool Doctor [Name] uses to deliver the highest quality of care to patients.” Below that in smaller print it said “Sent on behalf of Doctor [Name]’s office by: Practice Fusion.”

If patients clicked the link, they were taken to a page that asked for feedback about things like how long they had to wait for their appointment, the doctor’s bedside manner, and whether their medical concern was addressed.

There also was a text box where patients were invited to “leave a review for your provider.” Below that was a pre-checked box with the phrase “Keep this review anonymous.”

What did some people put in that box? Highly sensitive information directly addressed to their doctors, not evaluations meant to be shared publicly. Here are just a few examples:

  • “Dr [name], My Xanax prescription that I received on Monday was for 1 tablet a day but usually it’s for 2 tablets a day. I have not taken it to the pharmacy yet. Can I pick up a new one, or can I get a prescription called into a pharmacy? Thanks, [patient’s full name]”
  • “I called today and left a message regarding my daughter and no one has returned my call. I think she is depressed and has stated several times this week that she wishes she was dead. Could someone please call me [phone number]?”
  • “The cefuroxime axetil does not seem to be doing anything for me. I did a little research and I think I have a yeast infection called candida. Not sure what to do about it yet. I guess I will first try to change my diet. Medication? [patient’s full name]”
  • “I would like to make an appointment for my back pain and possible shingles. Can you please call me @ [phone number]? Thank you! [patient’s full name]”
  • “I HAVE NO INFECTION [healthcare provider name].  EVERYTHING WENT FINE AFTER MY VISIT, SO IT’S A GO FOR MY CHEMO DAY…..THANKS HOPEFULLY I WILL SEE YOU TOMARROW AT METHODIST HOSPITAL…..THANKS… [patient’s full name]”

In the smallest and lightest type on the page, it said “For your protection, do not include any personal information.” But the FTC says the nature of the information some patients put in the box – full names, phone numbers, prescriptions received, or procedures performed – suggests that they thought they were sending follow-up questions directly to their doctor’s office.

What about that pre-checked “Keep this review anonymous” box? According to the FTC, it didn’t anonymize what the patient wrote. Instead, it just affected whether it would appear on the public Patient Fusion site under the handle “Anonymous” or with a patient’s first name.

The FTC says that went on for about a year until an article in Forbes highlighted the sensitive nature of some of the comments and questions from the text boxes published on Patient Fusion. That’s when the company put automated procedures in place to prevent the posting of reviews where consumers had entered personal information.

In a one-count complaint, the FTC alleges that Practice Fusion represented expressly or by implication that survey responses would be communicated to the consumer’s healthcare provider, but failed to adequately disclose that it also would publish the responses publicly. According to the FTC, that fact would have been material to consumers in deciding whether or how to respond to the survey.

To settle the case, Practice Fusion has agreed not to misrepresent the extent to which it uses, maintains, and protects the privacy and confidentiality of any covered information. In addition, if the company wants to make consumers’ covered information public, it first has to: 1) clearly and conspicuously disclose to the consumer – separate and apart from a privacy policy, terms of use page, or similar document – its intention to make the information public; and 2) get the consumer’s express affirmative consent.
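As an added illustration (not code from the FTC post or from Practice Fusion), the following Python models the two behaviours the post describes: the pre-checked “Keep this review anonymous” box changing only the byline, and a publish gate that requires a separately obtained opt-in and then screens the text box for the kinds of details the complaint cites (a phone number, a sign-off with a full name) before anything reaches a public page. The sample reviews, names, numbers and the regular expressions are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Crude screens for details the complaint found in the text box:
# a phone number, and a sign-off with a full name ("Thanks, First Last").
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
NAME_RE = re.compile(r"(?:[Tt]hanks?,?|[Tt]hank [Yy]ou!?)\s+([A-Z][a-z]+(?:\s+[A-Z][a-z]+)+)")

@dataclass
class Review:
    text: str
    patient_first_name: str
    anonymous_box: bool = True    # the pre-checked "Keep this review anonymous" box
    public_opt_in: bool = False   # separate consent to public posting, unchecked by default

def byline_after_anonymous_box(r: Review) -> tuple:
    """What the pre-checked box actually controlled: the byline only, never the body."""
    return ("Anonymous" if r.anonymous_box else r.patient_first_name), r.text

def personal_info_hits(text: str) -> list:
    """Flag the kinds of personal details the complaint cites; empty list means none found."""
    hits = []
    if PHONE_RE.search(text):
        hits.append("phone number")
    if NAME_RE.search(text):
        hits.append("full name")
    return hits

def publish_decision(r: Review) -> tuple:
    """Gate a review before it reaches a public page: express opt-in first, then a PII screen."""
    if not r.public_opt_in:
        return False, ["no express affirmative consent to public posting"]
    hits = personal_info_hits(r.text)
    if hits:
        return False, ["hold for manual review: contains " + h for h in hits]
    return True, []

# Constructed samples modelled on the complaint's examples (names and numbers are fake).
SAMPLES = [
    Review("Can you please call me @ (555) 010-1234? Thank you! Jane Example", "Jane", public_opt_in=True),
    Review("Dr Example, my prescription was for 1 tablet a day. Thanks, Jane Example", "Jane", public_opt_in=True),
    Review("Short wait, friendly staff, concern addressed.", "Jane", public_opt_in=True),
    Review("Short wait, friendly staff, concern addressed.", "Jane"),  # never opted in
]

def screen_samples() -> list:
    """Publish/hold outcome for each constructed sample, in order."""
    return [publish_decision(r)[0] for r in SAMPLES]

if __name__ == "__main__":
    for r in SAMPLES:
        print(byline_after_anonymous_box(r)[0], publish_decision(r))
```

Only the third sample is publishable: the first two carry details meant for the doctor's office, and the fourth never opted in, regardless of what the anonymous box says.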

The terms of the settlement apply just to Practice Fusion, but there are lessons others in the industry can learn.

If personal health information is involved, handle it with particular care. Consumers are concerned about the confidentiality of their health information, and they have good reason to be. Given what’s at stake, industry members are on notice of the need for caution.

Explain your intentions. Especially for new products and services, don’t assume that consumers share your expertise. Be straightforward in your explanation and use simple words to explain what you want to do with their data.

Get consumers’ express affirmative consent before publicly disclosing sensitive information. Companies interested in winning loyal customers (and staying out of legal quicksand) ask consumers for permission before disclosing personal data and wait for a clear “yes” before proceeding. When healthcare information is at issue, it’s not the time to get cute with negative options or other less-than-clear methods of consent.

Disclosures should reach out and grab consumers. Healthcare IT is attracting companies that may not be familiar with the Commission’s approach, so here’s some FTC 101: If the disclosure of information is necessary to prevent deception, it must be clear and conspicuous. To the FTC, “clear and conspicuous” is a performance standard, not a font size. Chances are that fine print footnotes, dense blocks of text, jargon-filled doubletalk, or obscure hyperlinks won’t cut it. So if companies need to disclose information, how can they make it clear and conspicuous? Here’s a rule of thumb: Consider the same eye-catching methods you routinely use when you really want to grab a potential customer’s attention – graphics, color, big print, prominent placement, clear wording, etc.

Don’t bury key facts in a hard-to-understand privacy policy. You’ll want to read the complaint for the details, but after Practice Fusion started to collect consumer survey results for posting, it changed what it said in its Privacy Policy, but didn’t clearly disclose the information on the survey page itself. Of course, companies’ privacy policies and terms of use pages should be accurate and understandable, but relying on those pages as the exclusive means to convey critical details – for example, that you intend to post consumers’ sensitive health information publicly – is unwise.

Consult FTC resources for business. Companies accustomed just to HIPAA may be less familiar with the FTC’s approach. Visit the Business Center for compliance fundamentals. For example, .com Disclosures: How to Make Effective Disclosures in Digital Advertising talks about how to clearly convey important information online. The Mobile Health Apps Interactive Tool can help you figure out which federal law (and it may be more than one) applies to your business. And Mobile Health App Developers: FTC Best Practices offers an introduction to sound privacy and security.

The FTC is accepting public comments about the proposed settlement with Practice Fusion until July 8, 2016.

Comments

I worked for Physicians, and hospitals.

The digital age is great; HOWEVER, BEFORE, IN THE PAST BEFORE THE WONDERFUL INTERNET, ONE SHEET OF PAPER COULD NOT BE REPLICATED AS FAST AS A DIGITAL RECORD AND IN HOW MANY PLACES, OR DO WE EVEN KNOW? THINK, FOLKS, BECAUSE ONE RECORD CAN RUIN A PERSON'S LIFE.

It appears the FTC has taken almost all of their case verbatim from the Forbes article, and there is no mention of John Lynn's blog post where he covered this on a much deeper level, particularly how they automated these emails by the millions, how the emails were made to appear like they came from doctors, and how the platform would create each one right after the doctor wrote a progress note. I only discovered the loop when I made a fake patient and entered my personal email address. Considering that the act of sending an unsolicited email in health care without permission is usually called a HIPAA or privacy violation, you would think they would have seen that they were only looking at a small piece of this story. They sent over 10 million of these emails without telling anyone about it. Certainly the doctors were not informed that we were going to have our databases used to solicit users for the patient portal. I guess this is what happens when you decline to speak to the press: they have trouble understanding what has happened. This is what makes health tech so attractive for some. Where else do you have huge piles of money and nobody in tech can play around with your product and tell something is wrong? Even the medical professionals in health tech usually have very limited amounts of experience working in an actual clinic, so it can be hard for them to tell. Just read the original post if you are curious. http://www.emrandhipaa.com/emr-and-hipaa/2013/08/21/practice-fusion-violates-some-physicians-trust-in-sending-millions-of-emails-to-their-patients/
